ipabuse

Security covered

IPAbuse Firewall connects your Drupal site to the ipabuse.org community-driven IP reputation database. It automatically blocks known malicious IP addresses before they can interact with your site and reports failed login attempts back to the database to help protect the wider community.

If you are new to Drupal: this module acts as a firewall layer that runs silently in the background. Once configured with a free API key, it requires no day-to-day management.

Features

  • Request-level IP blocking — Every incoming request is checked against a locally cached blocklist. Blocked IPs receive a 403 Forbidden response immediately, before Drupal bootstraps a full page.
  • Brute-force login reporting — Any failed Drupal login attempt is automatically reported to ipabuse.org, contributing to the shared threat intelligence database.
  • Cron-based blocklist sync — The module fetches an updated blocklist from ipabuse.org on every Drupal cron run, keeping your local database current without manual steps.
  • Configurable score threshold — Every IP has an abuse confidence score from 0–100. You control the minimum score required to trigger a block (default: 75), giving fine-grained control between security and false positives.
  • Manual sync and connection test — The settings page includes a "Test Connection" button to validate your API key and a "Sync Now" button to force an immediate blocklist refresh outside of cron.
  • Flood-based deduplication — Repeated reports for the same IP are rate-limited using Drupal's built-in Flood API, preventing API abuse.
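
As an added illustration of the request-level blocking and score threshold described above (not the module's own code), a Symfony request subscriber in Drupal could look like this. The `example_ipblock` namespace, the `example_ipblock_cache` table and its `ip`/`score` columns are hypothetical.

```php
<?php

namespace Drupal\example_ipblock\EventSubscriber;

use Drupal\Core\Database\Connection;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

// Denies requests from IPs whose locally cached score meets the threshold.
final class BlocklistSubscriber implements EventSubscriberInterface {

  public function __construct(
    private readonly Connection $database,
    private readonly int $minScore = 75,
  ) {}

  public static function getSubscribedEvents(): array {
    // High priority so the check runs ahead of routing (RouterListener is 32).
    return [KernelEvents::REQUEST => ['onRequest', 300]];
  }

  public function onRequest(RequestEvent $event): void {
    if (!$event->isMainRequest()) {
      return;
    }
    $ip = $event->getRequest()->getClientIp();
    if ($ip === NULL || filter_var($ip, FILTER_VALIDATE_IP) === FALSE) {
      return;
    }
    // Hypothetical table filled by the cron sync: one row per IP, score 0-100.
    $score = $this->database
      ->select('example_ipblock_cache', 'b')
      ->fields('b', ['score'])
      ->condition('b.ip', $ip)
      ->execute()
      ->fetchField();
    // fetchField() returns FALSE when the IP is not in the cached blocklist.
    if ($score !== FALSE && (int) $score >= $this->minScore) {
      $event->setResponse(new Response('Forbidden', Response::HTTP_FORBIDDEN));
    }
  }

}
```

A request subscriber like this one runs after Drupal's HTTP middleware stack, so anonymous responses served by the core Page Cache middleware are returned before it fires. Core's Ban module performs its check as HTTP middleware instead.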

When would you use this module?

  • Any public Drupal site exposed to the internet that receives login attempts, spam registrations, or scraping.
  • Sites that want passive, maintenance-free protection without managing firewall rules at the server level.
  • Organisations that want to contribute threat data back to the community alongside protecting their own sites.

Post-Installation

  1. Navigate to Administration → Configuration → Security → IPAbuse Firewall (/admin/config/security/ipabuse).
  2. Create a free account at ipabuse.org and copy your API key.
  3. Paste the API key into the API Key field and click Test Connection to confirm it works.
  4. Click Sync Blocklist Now to immediately download the first set of blocked IPs into your local database.
  5. Adjust the Minimum Score threshold if needed (default 75 is a safe starting point).
  6. Enable or disable Block IPs and Report Failed Logins independently to suit your needs.
  7. Ensure Drupal cron is running (/admin/config/system/cron) so the blocklist stays up to date automatically.

No new content types, text formats, or Views are added. The only visible change to your site is a 403 response for blocked IPs.

Additional Requirements

  • Drupal 10 or 11
  • PHP 8.1 or higher
  • An active ipabuse.org account with an API key (free tier available)
  • The User module (Drupal core — enabled by default)
  • Outbound HTTPS access from your server to api.ipabuse.org (port 443)

No additional contributed modules are required. All dependencies (Guzzle HTTP client, Symfony EventSubscriber) are provided by Drupal core.

Recommended modules/libraries

  • Automated Cron — If your hosting does not run a system cron job, this module ensures cron fires on page requests so the blocklist syncs regularly.
  • Security Review — A complementary module that audits your site's security configuration and works well alongside active IP blocking.

Similar projects

  • Flood Control — Manages Drupal's built-in flood limits for login attempts. It limits repeated attempts from one IP but does not check a reputation database or block known bad actors proactively. IPAbuse Firewall is complementary, not a replacement.
  • Ban (Drupal core) — Lets administrators manually ban individual IPs via the UI. IPAbuse Firewall automates this using a continuously updated community database instead of a manually maintained list.
  • Antibot — Targets automated bots via JavaScript challenges on forms. IPAbuse Firewall operates at the IP reputation level regardless of browser behaviour.

Supporting this Module

IPAbuse Firewall is developed and maintained by the ipabuse.org team. Using the service (even on a free plan) directly supports continued development of both the module and the threat intelligence database.

If you find this module useful, please:

  • Star the project on Drupal.org
  • Submit abuse reports through your Drupal site to grow the shared database
  • Report bugs or feature requests in the issue queue

Activity

Total releases: 2
First release: May 2026
Latest release: 11 hours ago
Release cadence: 0 days
Stability: 50% stable

Releases

Version Type Release date
1.0.0 Stable May 24, 2026
1.0.x-dev Dev May 24, 2026